by BillinghamJ 3221 days ago
How so? Obviously they won’t be executing (or likely even analysing) any of the uploaded content.

Similarly, browsers should not generally be particularly vulnerable to malicious content being loaded with appropriate MIME types in appropriate containers (e.g. <img>)

It sounds like you should be asking how browsers protect users from malicious content. Perhaps you could elaborate?


You can perform a denial of service attack on a naive server with a maliciously crafted PNG. Just send a zip bomb and see what happens when it decompresses it. The naive approach will crash the server when it tries to malloc successively larger buffers.

https://www.bamsoftware.com/hacks/deflate.html

They say right in the article that they're doing image resizes on the server, for instance. With a customized library too... Hope it's sandboxed well!
Image and video codecs come under attack quite often; see https://blog.sucuri.net/2016/05/imagemagick-remote-command-e...

In this context the image manipulation they do with pillow and the underlying libjpeg would be a potential source of vulnerabilities.

Significantly, it's not just libjpeg but every format supported by Pillow (http://pillow.readthedocs.io/en/3.4.x/handbook/image-file-fo...) — many of those vulnerabilities have historically been in obscure formats where the implementation has had far less attention than the mainline JPEG or PNG support.
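One defender-side mitigation for the decompression-bomb case raised earlier (a PNG whose header declares an enormous image while the compressed data is a few bytes) is to read the IHDR chunk before handing the file to any decoder such as Pillow's, and reject it when the declared pixel count exceeds a budget. This is an added example in plain Python, not code from the thread or from Pillow; the 50-megapixel budget and the `make_png` helper that builds constructed test input are assumptions for illustration.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Assumed budget (not from the thread): 50 megapixels, about 200 MB of RGBA.
MAX_PIXELS = 50_000_000

# Channels per PNG colour type: 0=grey, 2=RGB, 3=palette, 4=grey+alpha, 6=RGBA
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def png_header_info(data: bytes) -> dict:
    """Parse only the signature and IHDR chunk; IDAT data is never inflated."""
    if len(data) < 33 or data[:8] != PNG_SIGNATURE:
        raise ValueError("not a PNG file or truncated before IHDR")
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        raise ValueError("first chunk is not a valid IHDR")
    body = data[16:29]
    (crc,) = struct.unpack(">I", data[29:33])
    if zlib.crc32(ctype + body) != crc:
        raise ValueError("IHDR CRC mismatch")
    width, height, depth, colour, _c, _f, _i = struct.unpack(">IIBBBBB", body)
    if colour not in CHANNELS or width == 0 or height == 0:
        raise ValueError("unsupported or invalid IHDR")
    return {"width": width, "height": height, "bit_depth": depth, "colour_type": colour}


def decoded_size_bytes(info: dict) -> int:
    """Bytes a decoder must allocate for the raw scanlines (1 filter byte per row)."""
    bits_per_pixel = CHANNELS[info["colour_type"]] * info["bit_depth"]
    row_bytes = (info["width"] * bits_per_pixel + 7) // 8 + 1
    return row_bytes * info["height"]


def is_safe_to_decode(data: bytes, max_pixels: int = MAX_PIXELS) -> bool:
    """Decide from the header alone whether decoding stays within budget."""
    info = png_header_info(data)
    return info["width"] * info["height"] <= max_pixels


def make_png(width: int, height: int, colour: int = 6, depth: int = 8) -> bytes:
    """Constructed test input: a minimal PNG with the given IHDR and an empty IDAT."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    ihdr = struct.pack(">IIBBBBB", width, height, depth, colour, 0, 0, 0)
    return PNG_SIGNATURE + chunk(b"IHDR", ihdr) + chunk(b"IDAT", zlib.compress(b"")) + chunk(b"IEND", b"")
```

Pillow applies a comparable limit through `Image.MAX_IMAGE_PIXELS`, but checking the raw bytes first keeps an oversized file out of the decoder entirely, and the same budget can be applied at the upload handler before the file touches a worker.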
Yep, I remember multiple smaller art-centric sites getting hit in a wave by an ImageMagick RCE vulnerability. Database dumps, full source leaks, the works. Unsure whether it was the one you linked; it seems more recent than I thought.